]> granicus.if.org Git - apache/commitdiff
With OpenSSL 1.0.2 or later, enable OCSP stapling in a loop based on
authorKaspar Brand <kbrand@apache.org>
Wed, 5 Feb 2014 13:02:35 +0000 (13:02 +0000)
committerKaspar Brand <kbrand@apache.org>
Wed, 5 Feb 2014 13:02:35 +0000 (13:02 +0000)
SSL_CTX_set_current_cert(), near the end of ssl_init_server_ctx.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1564760 13f79535-47bb-0310-9956-ffa450edef68

modules/ssl/ssl_engine_init.c

index 0c6cdd7cf83fbeb37cdab1b3e807a2e76c072a7c..e17f1f682e560ab07374c1b79aaaf388341f991f 100644 (file)
@@ -979,7 +979,14 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
         /* warn about potential cert issues */
         ssl_check_public_cert(s, ptemp, cert, key_id);
 
-#ifdef HAVE_OCSP_STAPLING
+#if defined(HAVE_OCSP_STAPLING) && !defined(SSL_CTRL_SET_CURRENT_CERT)
+        /* 
+         * OpenSSL up to 1.0.1: configure stapling as we go. In 1.0.2
+         * and later, there's SSL_CTX_set_current_cert, which allows
+         * iterating over all certs in an SSL_CTX (including those possibly
+         * loaded via SSLOpenSSLConfCmd Certificate), so for 1.0.2 and
+         * later, we defer to the code in ssl_init_server_ctx.
+         */
         if ((mctx->stapling_enabled == TRUE) &&
             !ssl_stapling_init_cert(s, mctx, cert)) {
             ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02567)
@@ -1305,23 +1312,6 @@ static apr_status_t ssl_init_server_ctx(server_rec *s,
                          "\"SSLOpenSSLConfCmd %s %s\" applied to %s",
                          param->name, param->value, sc->vhost_id);
         }
-#ifdef HAVE_OCSP_STAPLING
-        /*
-         * Special case: if OCSP stapling is enabled, and a certificate
-         * has been loaded via "SSLOpenSSLConfCmd Certificate ...", then
-         * we also need to call ssl_stapling_init_cert here.
-         */
-        if ((sc->server->stapling_enabled == TRUE) &&
-            !strcasecmp(param->name, "Certificate")) {
-            X509 *cert = SSL_CTX_get0_certificate(sc->server->ssl_ctx);
-            if (!cert || !ssl_stapling_init_cert(s, sc->server, cert)) {
-                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02571)
-                             "Unable to configure certificate loaded "
-                             "from %s for %s for stapling",
-                             param->value, sc->vhost_id);
-            }
-        }
-#endif
     }
     if (SSL_CONF_CTX_finish(cctx) == 0) {
             ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02547)
@@ -1341,6 +1331,32 @@ static apr_status_t ssl_init_server_ctx(server_rec *s,
         return ssl_die(s);
     }
 
+#if defined(HAVE_OCSP_STAPLING) && defined(SSL_CTRL_SET_CURRENT_CERT)
+    /*
+     * OpenSSL 1.0.2 and later allows iterating over all SSL_CTX certs
+     * by means of SSL_CTX_set_current_cert. Enabling stapling at this
+     * (late) point makes sure that we catch both certificates loaded
+     * via SSLCertificateFile and SSLOpenSSLConfCmd Certificate.
+     */
+    if (sc->server->stapling_enabled == TRUE) {
+        X509 *cert;
+        int i = 0;
+        int ret = SSL_CTX_set_current_cert(sc->server->ssl_ctx,
+                                           SSL_CERT_SET_FIRST);
+        while (ret) {
+            cert = SSL_CTX_get0_certificate(sc->server->ssl_ctx);
+            if (!cert || !ssl_stapling_init_cert(s, sc->server, cert)) {
+                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO()
+                             "Unable to configure certificate %s:%d "
+                             "for stapling", sc->vhost_id, i);
+            }
+            ret = SSL_CTX_set_current_cert(sc->server->ssl_ctx,
+                                           SSL_CERT_SET_NEXT);
+            i++;
+        }
+    }
+#endif
+
 #ifdef HAVE_TLS_SESSION_TICKETS
     if ((rv = ssl_init_ticket_key(s, p, ptemp, sc->server)) != APR_SUCCESS) {
         return rv;